The present invention relates generally to a cloud resource protection method applicable to a cloud computing environment, and more particularly, but not by way of limitation, to a system, method, and computer program product for assigning processes and/or applications runnable on a distributed system to classes, such that each class is associated with an access control policy.
As hardware-virtualization-based distributed systems scale and proliferate, new security issues arise, such as the increasing need for controls over interacting virtual machines (VMs) and the potential for exposure of sensitive data as VMs are cloned, resized, or migrated. Also, virtualization does not come for free. That is, virtualization levies at least a 2% to 7% CPU tax on top of the considerable memory overhead it imposes, along with the potential to “kill performance” across the board for all processes running on a host system in the event that one or more virtualized guest systems overload the host system. Nevertheless, the conventional methods for cloud computing require the overhead and risks associated with hardware virtualization.
An infrastructural methodology that would make cloud computing without virtualization easy to implement, without losing the anticipated security benefits that brought virtualization into the cloud computing paradigm from the start, is needed to solve the above-mentioned problems in the conventional techniques. That is, to make a non-virtualized cloud infrastructure workable, process or application classes, deployable to any node on the cloud, can be the centerpiece of access control policies. In the conventional techniques, access control policies have been established based simply on who the logged-in user is. Some other conventional techniques consider distributed security models that provide for security rules to be assigned per process per node. In other conventional techniques, pools of resources or applications also can be secured as a set.
However, the conventional techniques fail to treat a process or application class as a basis for determining access to not only executable code but also at least some data, throughout a cloud computing infrastructure.
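As an illustration of the class-based approach described above, the following added example (not the patent's own implementation; the class names, process identifiers and resource paths are constructed) decides access from a process's assigned class alone, so that the policy covers both executable code and data and does not depend on the logged-in user or on the node the process happens to run on.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Resource:
    kind: str  # "code" (an executable) or "data" (a file, record, etc.)
    name: str


# A class policy lists, per resource, the operations its members may perform.
# Any (resource, op) pair not listed is denied (default deny).
ClassPolicy = dict[Resource, frozenset[str]]


class ClassAccessController:
    """Assigns processes to classes and decides access from the class policy only.

    The user who launched the process and the node it runs on play no role in
    the decision, so an assignment travels with the process across nodes.
    """

    def __init__(self, policies: dict[str, ClassPolicy]):
        self._policies = policies
        self._class_of: dict[str, str] = {}  # process id -> class name

    def assign(self, process_id: str, class_name: str) -> None:
        if class_name not in self._policies:
            raise KeyError(f"unknown class {class_name!r}")
        self._class_of[process_id] = class_name

    def authorize(self, process_id: str, resource: Resource, op: str) -> bool:
        cls = self._class_of.get(process_id)
        if cls is None:
            return False  # unclassified process: deny
        return op in self._policies[cls].get(resource, frozenset())


# Constructed sample: one class may execute the billing code and read/write its
# ledger; the other is limited to reading a report file.
POLICIES: dict[str, ClassPolicy] = {
    "billing": {
        Resource("code", "/opt/billing/bin/invoice"): frozenset({"execute"}),
        Resource("data", "/srv/billing/ledger.db"): frozenset({"read", "write"}),
    },
    "analytics": {
        Resource("data", "/srv/billing/report.csv"): frozenset({"read"}),
    },
}


def demo() -> dict[str, bool]:
    ctl = ClassAccessController(POLICIES)
    ctl.assign("proc-42", "billing")
    ctl.assign("proc-7", "analytics")
    ledger = Resource("data", "/srv/billing/ledger.db")
    report = Resource("data", "/srv/billing/report.csv")
    return {
        "billing_reads_ledger": ctl.authorize("proc-42", ledger, "read"),
        "analytics_reads_ledger": ctl.authorize("proc-7", ledger, "read"),
        "analytics_writes_report": ctl.authorize("proc-7", report, "write"),
        "unclassified_denied": ctl.authorize("proc-99", ledger, "read"),
    }
```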